Easily found bug in free demo let visitors track phones from four top US carriers.

A little-known service has been leaking the real-time locations of US cell phone users to anyone who takes the time to exploit an easily spotted bug in a free trial feature, security news site KrebsOnSecurity reported Thursday.

LocationSmart, as the service is known, identifies the locations of phones connected to AT&T, Sprint, T-Mobile, or Verizon, often to an accuracy of a few hundred yards, reporter Brian Krebs said. While the firm claims it provides the location lookup service only for legitimate and authorized purposes, Krebs reported that a demo tool on the LocationSmart website could be used by just about anyone to surreptitiously track the real-time whereabouts of just about anyone else.

The tool was billed as a demonstration prospective customers could use to see the approximate location of their own mobile device. It required interested people to enter their name, email address, and phone number into a Web form. LocationSmart would then text the phone number and request permission to query the cellular network tower closest to the device. It didn’t take long for Robert Xiao, a security researcher at Carnegie Mellon University, to find a way to work around the authorization requirement.

As Krebs explained:

But according to Xiao, a PhD candidate at CMU’s Human-Computer Interaction Institute, this same service failed to perform basic checks to prevent anonymous and unauthorized queries. Translation: anyone with a modicum of knowledge about how websites work could abuse the LocationSmart demo site to figure out how to conduct mobile number location lookups at will, all without ever having to supply a password or other credentials.

“I stumbled upon this almost by accident, and it wasn’t terribly hard to do,” Xiao said. “This is something anyone could discover with minimal effort. And the gist of it is I can track most people's cell phones without their consent.”

Xiao said his tests showed he could reliably query LocationSmart’s service to ping the cell phone tower closest to a subscriber’s mobile device. Xiao said he checked the mobile number of a friend several times over a few minutes while that friend was moving. By pinging the friend’s mobile network multiple times over several minutes, he was then able to plug the coordinates into Google Maps and track the friend’s directional movement.

“This is really creepy stuff,” Xiao said, adding that he’d also successfully tested the vulnerable service against one Telus Mobility mobile customer in Canada who volunteered to be found.

Before LocationSmart’s demo was taken offline today, KrebsOnSecurity pinged five different trusted sources, all of whom gave consent to have Xiao determine the whereabouts of their cell phones. Xiao was able to determine within a few seconds of querying the public LocationSmart service the near-exact location of the mobile phone belonging to all five of my sources.

One of those sources said the longitude and latitude returned by Xiao’s queries came within 100 yards of their then-current location. Another source said the location found by the researcher was 1.5 miles away from his current location. The remaining three sources said the location returned for their phones was between approximately one-fifth to one-third of a mile at the time.

Xiao published a detailed description of the demo bug. It showed how simple changes to the demo's Web requests were able to bypass the requirement a location be queried only after a phone user approved.

LocationSmart founder and CEO Mario Proietti told Krebs he never intended to give away the service. “We make it available for legitimate and authorized purposes,” Krebs quoted the CEO as saying. “It’s based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously, and we’ll review all facts and look into them.”

In a statement Sen. Ron Wyden (D-Ore) wrote: “This leak, coming only days after the lax security at Securus was exposed, demonstrates how little companies throughout the wireless ecosystem value Americans’ security. It represents a clear and present danger, not just to privacy but to the financial and personal security of every American family. Because they value profits above the privacy and safety of the Americans whose locations they traffic in, the wireless carriers and LocationSmart appear to have allowed nearly any hacker with a basic knowledge of websites to track the location of any American with a cell phone.”

Krebs contacted all four of the major US mobile carriers, and all declined to confirm or deny a formal business relationship with LocationSmart, despite LocationSmart displaying the carriers’ corporate logos on its website. A T-Mobile spokesperson said the company quickly shut down any transaction of customer location data to Securus after its services recently became known. Other than that, the companies referred Krebs to their privacy policies, which all prevent the sharing of location information without customer consent or a demand from law enforcement.

Krebs went on to cite an official at the Electronic Frontier Foundation who said cellular carriers by law are required to know the approximate location of customers in the event it’s needed by emergency 911 services. Whether the carriers are permitted to sell or otherwise provide the information to other third parties is less clear. Expect there to be much more scrutiny about this in the coming weeks and months.

In a statement sent Friday morning, LocationSmart officials wrote:

LocationSmart provides an enterprise mobility platform that strives to bring secure operational efficiencies to enterprise customers. All disclosure of location data through LocationSmart’s platform relies on consent first being received from the individual subscriber. The vulnerability of the consent mechanism recently identified by Mr. Robert Xiao, a cybersecurity researcher, on our online demo has been resolved and the demo has been disabled. We have further confirmed that the vulnerability was not exploited prior to May 16th and did not result in any customer information being obtained without their permission. On that day as many as two dozen subscribers were located by Mr. Xiao through his exploitation of the vulnerability. Based on Mr. Xiao’s public statements, we understand that those subscribers were located only after Mr. Xiao personally obtained their consent. LocationSmart is continuing its efforts to verify that not a single subscriber’s location was accessed without their consent and that no other vulnerabilities exist. LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process.

A reminder that customer information isn't necessarily the same as information belonging to members of the general public. It's also not clear how LocationSmart was able to determine the leak vulnerability wasn't exploited until Wednesday. Ars asked a LocationSmart representative to clarify and will update if the company responds.